Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

IPSEC vpn with SD-WAN

We are new FortiGate users and are switching from SonicWall firewalls. I've been using our demo unit for a couple of weeks now and have successfully configured SD-WAN to work with both of our internet circuits. I understand how that works, but what I would like to do is configure it to load-balance IPsec VPN traffic.

At our datacenter we have a SonicWall, but multiple sites are going to be switched from SonicWall to FortiGates. Each site has one cable/DSL circuit as a backup and a fiber circuit as the primary. The fiber circuit has less bandwidth but is obviously more stable.

Our end goal is to be able to load-balance and direct traffic across the VPN to our datacenter based on specific ports. For example, we would want Citrix ICA traffic to take the circuit with less latency while other traffic utilizes whatever is available. Is this possible? If it isn't possible since we have a SonicWall at the datacenter end, is it possible if we had Fortinets instead?

New Contributor

I ended up finding this article, which looks like what I'm wanting (except I don't have a FortiGate at each end right now):

Attempting to get it working, but unsuccessful so far.

Esteemed Contributor III

A virt-wan link will probably not help. The only firewall that I know of that load-balances IPsec natively across multiple IPsec tunnels is Forcepoint, btw.

What you might be able to do is build multiple route-based VPN tunnels and run OSPF for ECMP between the peer and hubs. I would lab that out, if you have a spoke that you can use, and see if that is doable.


Ken Felix

PCNSE NSE StrongSwan
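For readers who want to lab out the route-based-tunnels-plus-OSPF approach suggested above, here is an added FortiOS CLI sketch of the spoke side; it is not from the thread or from Fortinet, and every interface name, tunnel subnet and LAN prefix in it is an assumption. It assumes two route-based IPsec tunnels already exist as interfaces "vpn-fiber" and "vpn-cable", that the hub end also runs OSPF over both tunnels, and that the spoke LAN is 192.168.10.0/24.

```text
# Added example, not from the thread. Assumed names: tunnels "vpn-fiber" and
# "vpn-cable", /30 tunnel subnets 10.255.1.0/30 and 10.255.2.0/30 (spoke is .1,
# hub is .2 on each), spoke LAN 192.168.10.0/24.

# Give each tunnel interface an address so OSPF can form a point-to-point adjacency over it.
config system interface
    edit "vpn-fiber"
        set ip 10.255.1.1 255.255.255.255
        set remote-ip 10.255.1.2 255.255.255.252
    next
    edit "vpn-cable"
        set ip 10.255.2.1 255.255.255.255
        set remote-ip 10.255.2.2 255.255.255.252
    next
end

config router ospf
    set router-id 10.255.1.1
    config area
        edit 0.0.0.0
        next
    end
    # Same OSPF cost on both tunnels is what makes the hub's prefixes show up
    # as two equal-cost routes (ECMP) instead of one preferred path.
    config ospf-interface
        edit "ospf-fiber"
            set interface "vpn-fiber"
            set network-type point-to-point
            set cost 10
        next
        edit "ospf-cable"
            set interface "vpn-cable"
            set network-type point-to-point
            set cost 10
        next
    end
    # Advertise both tunnel /30s and the spoke LAN into area 0.
    config network
        edit 1
            set prefix 10.255.1.0 255.255.255.252
        next
        edit 2
            set prefix 10.255.2.0 255.255.255.252
        next
        edit 3
            set prefix 192.168.10.0 255.255.255.0
        next
    end
end

# Hash ECMP on source and destination IP so every packet of one flow stays on
# one tunnel; this avoids out-of-order delivery inside a single session.
config system settings
    set v4-ecmp-mode source-dest-ip-based
end
```

Two things to check in the lab: `get router info routing-table ospf` on the spoke should list the datacenter prefixes with both tunnels as next hops, and when one tunnel drops its OSPF adjacency the other route must remain. Note that this gives per-flow spreading across the tunnels, not the per-port steering the original question asked for, and the remote peer has to run OSPF over the tunnels as well.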
New Contributor

I'm able to use SD-WAN to load balance IPsec VPN tunnels when it's configured with SD-WAN the same way at the two ends. My problem is when I have more than 7 tunnels I get some "reverse path check failed, drop", but with 7 tunnels or less it works fine. I didn't really try to load balance some type of traffic on one link and the rest on the other one, but I think it should work. I simply use one VPN, and if I get packet loss over 1% all traffic goes to the other VPN. I do the same with Internet links.

It seems like the issue with over 7 tunnels is a firmware issue.

Fortigate : 80E, 80F, 100E, 200F, 300E : 6.4.6

FortiAnalyzer, ForticlientEMS

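The setup described in this reply, two IPsec tunnels as SD-WAN members with a packet-loss SLA, also happens to be where the original question's per-port steering lives. As an added FortiOS 6.4 CLI example (not from the thread or from Fortinet, and not the poster's own configuration), the following puts both tunnels in one SD-WAN zone, probes the datacenter over each, sends Citrix ICA to whichever tunnel currently has the lowest latency, and spreads everything else across the tunnels that are within SLA. The tunnel interface names "vpn-fiber" and "vpn-cable", the zone name, the address object "DC-LAN", the LAN interface "internal" and the probe target 10.10.0.1 are all assumptions; TCP 1494 is the standard Citrix ICA port.

```text
# Added example (FortiOS 6.4 CLI), not from the thread. Assumed: route-based
# tunnels "vpn-fiber" and "vpn-cable" already up, address object "DC-LAN"
# covering the datacenter subnets, LAN interface "internal", and 10.10.0.1 a
# datacenter host that answers ping for the health check.

config system sdwan
    set status enable
    # Keep one flow on one tunnel even when a rule load-balances.
    set load-balance-mode source-dest-ip-based
    config zone
        edit "dc-vpn"
        next
    end
    config members
        edit 1
            set interface "vpn-fiber"
            set zone "dc-vpn"
        next
        edit 2
            set interface "vpn-cable"
            set zone "dc-vpn"
        next
    end
    # One probe through both tunnels. The SLA here is the "packet loss over 1%"
    # condition: a member that exceeds it drops out of the rules that reference it.
    config health-check
        edit "dc-probe"
            set server "10.10.0.1"
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 150
                    set packetloss-threshold 1
                next
            end
        next
    end
    config service
        # Rule 1: Citrix ICA (TCP 1494) follows the lowest measured latency.
        edit 1
            set name "citrix-ica-best-latency"
            set mode priority
            set dst "DC-LAN"
            set protocol 6
            set start-port 1494
            set end-port 1494
            set health-check "dc-probe"
            set link-cost-factor latency
            set priority-members 1 2
        next
        # Rule 2: all other datacenter traffic uses every member still within SLA.
        edit 2
            set name "dc-other-load-balance"
            set mode load-balance
            set dst "DC-LAN"
            set priority-members 1 2
            config sla
                edit "dc-probe"
                    set id 1
                next
            end
        next
    end
end

# Routing and policy over the zone. Each member needs a usable route toward
# DC-LAN, which is also what the reverse-path check looks for on the return leg.
config router static
    edit 1
        set dst 10.10.0.0 255.255.0.0
        set sdwan-zone "dc-vpn"
    next
end
config firewall policy
    edit 1
        set name "lan-to-dc"
        set srcintf "internal"
        set dstintf "dc-vpn"
        set srcaddr "all"
        set dstaddr "DC-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Citrix Session Reliability (TCP 2598) would get a second rule identical to rule 1 with that port. To see the steering decision in practice, `diagnose sys sdwan service` lists the members each rule currently prefers and `diagnose sys sdwan health-check` shows the measured latency and loss per tunnel; the datacenter end has to mirror the zone and rules so return traffic is steered the same way, which is the "configured the same way at the two ends" condition the reply mentions.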

We had configured separate VPN tunnels for each ISP interface (fiber/copper) and set the fiber VPN tunnel as primary and the copper VPN tunnel to monitor the primary tunnel. Once the secondary tunnel detects that the primary tunnel went down, the secondary tunnel takes over and activates itself.

